When you create a new user in Web Portal (an application user, not an LDAP user) and do not assign a group, the user can log in and see the entire back end.

This behavior is by design. If the user is not assigned any role in Web Portal, they are treated as a guest by default and can see anything at the Metadata Manager UI level.

To limit user access to certain areas - and also when using the Metadata explorer - the Administrator user needs to create a group (role), assign that group to a default configuration, and assign the user to that group. You can assign multiple groups to a user (so they can access more than one configuration).